Chapter 4: Configuring File and Keyword Filters

Applies to: Forefront Security for SharePoint

Topic Last Modified: 2008-02-20

Even with the excellent protection that Forefront Security for SharePoint offers through multiple scanning engines, there is always a risk that an infected file will go undetected. Businesses are also concerned about files posted to document libraries that contain inappropriate language or confidential corporate information, or that violate corporate policies in other ways.

So, to add another layer of protection, Forefront Security for SharePoint offers two types of filters: file filters and keyword filters. They can help identify files as they are being uploaded to or downloaded from the SharePoint server.

File filters can be set to screen the external characteristics of a file—its name, its type (.exe, .gif, etc.), and its size. For example, you may not want employees downloading .exe or MP3 files, or files over a size limit you specify.

Keyword filters screen a file’s contents and can be used to expose those that, for example, contain offensive or inappropriate language or confidential business information.

Filters are really the first line of defense because they are applied before virus scanning. Forefront Security for SharePoint filters files first. Any that pass through the filters then go through the virus scanning process.

Filtered files can be allowed to pass through to the SharePoint site, or they can be blocked, quarantined, or deleted, depending on the type of filter. Filters can also be configured to send notifications to both administrators and users about the results of the filtering process.

You can filter both Realtime Scan and Manual Scan Jobs. You set the filters for each scan job individually, so each scan job can have its own set of filters.

Forefront Security for SharePoint can filter compressed files and various compressed formats (such as PKZIP, WinZip, or GZIP), with the exception of password-protected compressed files. It can also look for files embedded in other files—for example, specific image file types embedded in Word documents. It can unpack .zip and other container files, remove specific contents from within them, and then repack them.

Note:

Forefront Security for SharePoint lets you create and maintain lists of filters for use by different scan jobs. For information on creating and working with lists of filters, see “Filter Lists” in the “SharePoint File Filtering” chapter in the Forefront Security for SharePoint User Guide.

Configuring a file filter requires that you first create the filter and then enable it, indicating what Forefront Security for SharePoint will do when the filters identify a file, and specifying the text you want to insert in place of the file.

To understand how Forefront Security for SharePoint handles compressed files, consider a .zip file that contains a .doc file and an .exe file. If you created a file filter to block .exe files, then Forefront Security for SharePoint would unpack the .zip file and remove the .exe file. It would then replace it with a text file that includes the deletion text message, and repackage the .zip file which would then pass to the virus scanning process. Forefront Security for SharePoint would then post any files the scan engines determined to be virus-free on the SharePoint site.
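The unpack, remove, replace, and repack sequence described above can be sketched as follows. This is an added example, not Forefront's own code: the `filter_zip` function, the placeholder deletion text, the ".txt" naming of the replacement file, and the handling of encrypted members are all assumptions made for illustration.

```python
import fnmatch
import io
import zipfile

# Constructed placeholder: the product's default deletion text is not shown here.
DELETION_TEXT = "{name} was removed because it matched the file filter {pattern}."


def filter_zip(data: bytes, pattern: str) -> tuple[bytes, list[str]]:
    """Return (repacked archive bytes, names of the members that were removed)."""
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.flag_bits & 0x1:
                # Encrypted member: contents cannot be unpacked for filtering.
                # Assumption: this sketch refuses the archive in that case.
                raise ValueError(f"password-protected member: {info.filename}")
            base = info.filename.rsplit("/", 1)[-1].lower()
            if not info.is_dir() and fnmatch.fnmatchcase(base, pattern.lower()):
                removed.append(info.filename)
                # Assumption: placeholder keeps the original name plus ".txt".
                note = DELETION_TEXT.format(name=info.filename, pattern=pattern)
                dst.writestr(info.filename + ".txt", note)
            else:
                # Everything else is copied through unchanged.
                dst.writestr(info, src.read(info))
    return out.getvalue(), removed


def make_sample_zip() -> bytes:
    """Constructed input: a .zip holding one .doc and one .exe, as in the text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.doc", b"quarterly numbers")
        z.writestr("setup.exe", b"MZ constructed stand-in bytes")
    return buf.getvalue()


if __name__ == "__main__":
    repacked, removed = filter_zip(make_sample_zip(), "*.exe")
    print(removed, zipfile.ZipFile(io.BytesIO(repacked)).namelist())
```

The repacked archive is what would then be handed to the virus scanning stage.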

Make sure that State is set to Enabled, and that File Filtering is On.
If it is not, under OPERATE, click Run Job and activate it.

Click Add.
The filters work through a combination of file name and file type, so you must specify both elements.

In the entry field in the File Names section, type the file name or extension you want the filter to look for, and press ENTER.
You can use a full file name (for example, file.exe) or wildcards (as in our example, *.*).

In the File Types section, associate the File Name filter with file types.
In our example, we are specifying a filter for any .exe file, no matter what the file name appears to be. For other examples, see To fine-tune file filters.

Make sure the File Filter is set to Enabled.

Under Action, choose what you want the filter to do when it finds a file that meets the criteria you specified above.

Skip: detect only. Records the number of files that meet the filter criteria, but allows the files to be uploaded to or downloaded from the SharePoint site. This is the default for manual scanning.
Use this feature to identify specific files without blocking them and to increase your awareness of activity in the environment. For example, you could see if employees were loading a lot of MP3 files to your SharePoint site and put a stop to it if need be.

For Realtime Scan Jobs:
Block: prevent transfer. Blocks the download or upload of infected files. Forefront Security for SharePoint notifies the user that a blocked file cannot be saved to the document library with the reason (for example, if it found a virus).

For Manual Scan Jobs:
Delete: remove contents. Deletes the detected file, inserting a text file in its place that contains the deletion text.

To send notifications to the administrator when the file filter encounters specified files, check Send Notifications. (Find out how to create a notification.)

To save copies of blocked files for later inspection, check the Quarantine Files box.

Note:

Although quarantining files enables you to retrieve those that have been incorrectly tagged, there is overhead involved in doing this, particularly if many files are caught. Ideally, you would want to quarantine files, but you may decide that the more effective course is simply to delete them. (For more information, see Using the Quarantine Database.)

When Forefront Security for SharePoint deletes an infected file, it automatically replaces the contents of the file with a text file that includes the name of the file, the virus it was infected with, and the action taken. The message in the text file is known as Deletion Text.

To see the default deletion text or find out how to change it, see Modifying deletion text.

If you want to block all executables, no matter what the file is named—to catch, for example, .exe files with a .doc extension—type *.* in the File Names entry field. For File Types, clear All Types and check the .exe box.

If you want to block certain images, type *.* in the File Names entry field. For File Types, clear the All Types box, and check the file types you want to block.

Create file filters that check files of a certain size. File filters can be set to block files of a certain size using standard comparison operators (=, <, >, <=, >=) and file size designations (KB, MB, GB). These can be combined with file name and file type conventions. There should be no spaces in the string.

For example:

*.bmp>=1.2MB: Detects any .bmp file equal to or greater than 1.2 MB.

<in>*.com>150KB: Finds any inbound .com file greater than 150 KB.

*.*>5GB: Detects any file greater than 5 GB.

Create file filters to work only on either file upload or file download. This is useful when you want to identify differences and, therefore, set different rules for files that are coming in to or leaving your SharePoint site. To set this filter, prefix the file name with <in> or <out>.

For example:

<in>test.doc: Detects the file named test.doc only if it is entering the SharePoint site.

<out>test.doc: Detects the file named test.doc only if it is leaving the SharePoint site.
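The size and direction syntax from the two sets of examples above can be checked with a small parser before a filter string is entered in the console. This is an added example, not part of the product: `parse_filter` and `FileFilter` are hypothetical names, and it assumes binary units (1 KB = 1024 bytes), case-insensitive name matching, and that *.* matches any file name.

```python
import fnmatch
import operator
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: binary units (1 KB = 1024 bytes); the page does not define them.
UNITS = {"KB": 1024, "MB": 1024**2, "GB": 1024**3}
OPS = {"=": operator.eq, "<": operator.lt, ">": operator.gt,
       "<=": operator.le, ">=": operator.ge}

# [<in>|<out>] name-or-wildcard [operator size unit]; no whitespace anywhere.
FILTER_RE = re.compile(
    r"(?:<(?P<dir>in|out)>)?(?P<name>[^<>=\s]+?)"
    r"(?:(?P<op>>=|<=|=|<|>)(?P<num>\d+(?:\.\d+)?)(?P<unit>KB|MB|GB))?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class FileFilter:
    direction: Optional[str]  # "in", "out", or None for both directions
    name: str
    op: Optional[str]
    size_bytes: Optional[float]

    def matches(self, filename: str, size: int, direction: str) -> bool:
        """True if a file of `size` bytes moving `direction` hits this filter."""
        if self.direction and self.direction != direction:
            return False
        # Assumption: names compare case-insensitively and "*.*" means any name.
        if self.name != "*.*" and not fnmatch.fnmatchcase(
                filename.lower(), self.name.lower()):
            return False
        return self.op is None or OPS[self.op](size, self.size_bytes)


def parse_filter(text: str) -> FileFilter:
    """Parse strings such as '<in>*.com>150KB'; reject spaces and bad syntax."""
    m = FILTER_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"not a valid file filter string: {text!r}")
    size = float(m["num"]) * UNITS[m["unit"].upper()] if m["op"] else None
    direction = m["dir"].lower() if m["dir"] else None
    return FileFilter(direction, m["name"], m["op"], size)
```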

Keyword filtering analyzes the contents of files to identify unwanted or prohibited content. By creating keyword filter lists, you can filter documents based on a variety of words, phrases, and sentences.

Configuring a keyword filter requires that you first create and configure the keyword list. Then you enable the filter indicating the actions Forefront Security for SharePoint will take when the filters identify a file. This includes specifying the minimum number of unique keywords that will trigger the action.

Make sure that State is set to Enabled, and that Keyword Filtering is On.
If it is not, under OPERATE, click Run Job and activate it.

Make sure the File Filter is set to Enabled.

Under Action, choose what you want the filter to do when it finds a file that meets the criteria you specified above.

Skip: detect only. Records the number of files that meet the filter criteria, but allows the files to be uploaded to or downloaded from the SharePoint site. This is the default for manual scanning.
Use this feature to identify specific files without blocking them and to increase your awareness of activity in the environment. For example, you could see if employees were loading a lot of MP3 files to your SharePoint site and put a stop to it if need be.

For realtime scan jobs:
Block: prevent transfer. Blocks the download or upload of infected files. Forefront Security for SharePoint notifies the user that a blocked file cannot be saved to the document library with the reason (for example, if it found a virus).

For manual scan jobs:
N/A

To send notifications to the administrator when the file filter encounters specified files, check Send Notifications. (Find out how to create a notification.)

To save copies of blocked files for later inspection, check the Quarantine Files box.
This saves a copy of the file in the Quarantine list, where it can be examined and, if need be, released. (For more information about quarantines, see Using the Quarantine Database.)

Select the minimum number of unique keyword hits that will trigger the action.
In our example, two of the three keywords listed must appear in the document in order for the filter to take action.